Re: [fw-wiz] An interesting VPN problem
From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 08/29/03
- Previous message: Mike Hoskins: "RE: [fw-wiz] result question"
- In reply to: Jonas Anden: "[fw-wiz] An interesting VPN problem"
- Next in thread: Ben Nagy: "RE: [fw-wiz] An interesting VPN problem"
To: Jonas Anden <dajudge@home.se>
Date: Fri, 29 Aug 2003 08:52:44 +0200 (CEST)
Hi all!
> Hi all you Wizes out there. I've got a bit of a problem that I think you
> might help me solve...
Unfortunately I don't know PIXen, but I think I can give you
two general directions to investigate:
> I've got two Cisco PIX 501 with the latest software (6.3.1). We're
> trying to use them to set up a remote site with *all* client traffic on
> the remote network being redirected through the site-to-site tunnel
> (including the traffic that should ultimately end up on the Internet).
> Traffic from the remote network not targeted for the local network
> should be routed through a firewall reachable from the local network.
>
> My network looks like this:
>
>
> [L-NET]<-+--->[FW]<---+->[B-GW]<-->[INET]<-->[R-PIX]<-->[R-NET]
>          |            |
>          +-->[L-PIX]<-+
So, if the PIXen only do site-to-site VPN and you want all your
internal-to-Internet traffic to leave through the firewall at L-Site,
you could use something called policy routing. As I said, I don't know
if PIXen are "IOS'y" enough, but I did it in a couple of places
with Cisco routers like this:
L-PIX/router:
!
! Apply the policy on the tunnel interface facing R-NET
interface Tunnel0
 description tunnel to R-NET
 ip route-cache policy
 ip policy route-map vpn-to-internet
!
! Traffic matched by ACL 101 gets its next hop forced to the firewall;
! everything the ACL denies (R-NET to L-NET) is routed normally
route-map vpn-to-internet permit 10
 match ip address 101
 set ip next-hop <insert internal IP of firewall here>
!
access-list 101 remark match traffic that comes out of R-NET and is not (!) directed to L-NET
access-list 101 deny ip <R-NET> <R-NET-INVERSE-MASK> <L-NET> <L-NET-INVERSE-MASK>
access-list 101 permit ip <R-NET> <R-NET-INVERSE-MASK> any
Works like a charm, but I think in your case that's waaaaayyy too
complicated, because - if I understood you correctly - you can achieve
the same with simple routing:
Why should L-PIX know about "the Internet" at all? (read: why should
it have a default route pointing to the Internet?)
Set up your routing tables on the PIXen like this:
R-PIX:
Host route for external IP address of L-PIX directed to "the Internet"
Default route to tunnel
L-PIX:
Host route for external IP address of R-PIX to "the Internet"
Network route for R-NET to the tunnel
Default route to _internal_ IP address of firewall
Firewall:
Network route for R-NET to internal IP address of L-PIX
(you probably have that already)
HTH,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH
Internet - Services - Consulting
Vorholzstr. 25
76137 Karlsruhe
Tel. 0721 9109 -0  Fax: -100
http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
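An added example (not from the post above) that models the routing tables Patrick lists as longest-prefix lookups and traces a packet hop by hop: R-NET to an Internet host (via the tunnel and the firewall), R-NET to L-NET, and the same trace with the host route for the peer's external address removed, which is where the encapsulated tunnel packet would be routed back into the tunnel. All addresses, the device names in the tables and the egress labels are constructed assumptions.

```python
import ipaddress
# Constructed sample addressing (RFC 1918 / RFC 5737 ranges, not from the post).
L_NET, R_NET = "10.1.0.0/24", "10.2.0.0/24"
L_PIX_EXT, R_PIX_EXT = "198.51.100.10", "203.0.113.20"
FW_INT, L_PIX_INT = "10.1.0.1", "10.1.0.2"
DEVICE_OF = {FW_INT: "FW", L_PIX_INT: "L-PIX"}          # IP next hop -> device
PEER = {"R-PIX": ("L-PIX", L_PIX_EXT), "L-PIX": ("R-PIX", R_PIX_EXT)}
# The routing tables from the post as (prefix, next hop). "tunnel", "internet"
# and "connected" are egress labels; an IP next hop hands off to that device.
TABLES = {
    "R-PIX": [(L_PIX_EXT + "/32", "internet"), (R_NET, "connected"),
              ("0.0.0.0/0", "tunnel")],
    "L-PIX": [(R_PIX_EXT + "/32", "internet"), (R_NET, "tunnel"),
              (L_NET, "connected"), ("0.0.0.0/0", FW_INT)],
    "FW":    [(R_NET, L_PIX_INT), (L_NET, "connected"), ("0.0.0.0/0", "internet")],
}

def lookup(tables, device, dst):
    """Longest-prefix match in one device's table; None if there is no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in tables[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(tables, device, dst, max_hops=8):
    """Follow a packet hop by hop and return [(device, next hop), ...].
    A tunnel hop needs a second lookup for the peer's outer address; if that
    one also hits the tunnel, the encapsulated packet would loop."""
    path = []
    for _ in range(max_hops):
        nh = lookup(tables, device, dst)
        path.append((device, nh))
        if nh == "tunnel":
            peer, outer_dst = PEER[device]
            if lookup(tables, device, outer_dst) != "internet":
                path.append((device, "LOOP: tunnel packet routed into tunnel"))
                return path
            device = peer                   # decapsulated on the far side
        elif nh in DEVICE_OF:
            device = DEVICE_OF[nh]
        else:
            return path                     # internet / connected / no route
    path.append((device, "LOOP: hop limit exceeded"))
    return path

if __name__ == "__main__":
    print(trace(TABLES, "R-PIX", "192.0.2.50"))   # R-NET -> Internet host, via FW
    print(trace(TABLES, "R-PIX", "10.1.0.77"))    # R-NET -> L-NET host
    print(trace({**TABLES, "R-PIX": TABLES["R-PIX"][1:]}, "R-PIX", "192.0.2.50"))
```

The last trace drops R-PIX's host route for L-PIX's external address, and the result ends in a LOOP entry instead of reaching the firewall.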